I've got an HTML form for editing images. All data is stored in JSON. When I change the current image, I want to save the changes, through a PHP script, to a text file. If I return to the previous image, this configuration will be sent again from this file to the form.
My question is:
How do I write/read this kind of data safely? Where and how do I effectively check the data to prevent JS/PHP code injection?
I have attached some concept code below:
JavaScript (using jQuery):
// Writing
$.ajax({
    global: false,
    type: "POST",
    cache: false,
    dataType: "json",
    data: ({
        action: 'write',
        config: JavaScriptJSON_Obj
    }),
    url: 'read-write.php'
});
// Reading
$.ajax({
    global: false,
    type: "POST",
    cache: false,
    dataType: "json",
    data: ({
        action: 'read'
    }),
    url: 'read-write.php',
    success: function(data){
        JavaScriptJSON_Obj = data;
    }
});
PHP example (read-write.php):
switch ($_REQUEST['action']) {
    case 'write':
        file_put_contents('config.txt', $_REQUEST['config']);
        break;
    case 'read':
        $s = file_get_contents('config.txt');
        echo json_encode($s);
        break;
}
Another way of writing JSON to a file is by using the json.dump() method. The JSON package has the “dump” function which directly writes the dictionary to a file in the form of JSON, without needing to convert it into an actual JSON object.
Parse the JSON first into a PHP array and then filter each value in the array as you do with regular request content; you could map the JSON keys to schematic filters and flags/options, e.g. This could be worth a pull request at PHP's GitHub project page. It may often be needed just to validate a JSON string.
To receive JSON string we can use the “php://input” along with the function file_get_contents() which helps us receive JSON data as a file and read it into a string. Later, we can use the json_decode() function to decode the JSON string.
The problem with your code is that it won't work, security issues aside. You must either serialize the data, or encode it to JSON BEFORE storing it in a file, i.e. like this:
switch ($_REQUEST['action']) {
    case 'write':
        file_put_contents('config.txt', json_encode($_REQUEST['config']));
        break;
    case 'read':
        readfile('config.txt');
        break;
}
Serializing works like this:
switch ($_REQUEST['action']) {
    case 'write':
        file_put_contents('config.txt', serialize($_REQUEST['config']));
        break;
    case 'read':
        $data = unserialize(file_get_contents('config.txt'));
        echo json_encode($data);
        break;
}
As long as you make sure that the path you read/write to is correct, there are no code injection problems with this code. The only potential problem is if you can choose what file to use (rather than hardcode "config.txt" into the code). Then you'd have to validate to make sure the file is in a given directory etc.
First of all: JSON is not JavaScript and vice versa. And JSON is even not a proper subset of JavaScript.
Besides that, since you neither interpret some user input as PHP nor some output as JavaScript, there is no need to worry. But don’t forget to specify your output properly:
header('Content-Type: application/json;charset=utf-8');
$s = file_get_contents('config.txt');
echo json_encode($s);
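Pulling the answers together (decode and whitelist the keys as the first suggests, write only json_encode output as the second does, and send the Content-Type header from the third), here is an added example of a hardened read-write.php. It is not code from the question or any answer; the key names, bounds, the config.json path and a PHP 8 runtime (for match()) are assumptions.

```php
<?php
// Hardened read-write.php (added example; assumes PHP >= 8.0 for match()).
declare(strict_types=1);
const CONFIG_PATH = __DIR__ . '/config.json';       // hard-coded path, never taken from the request
// Assumed schema: only these keys are accepted, each checked against a type and a bound.
const SCHEMA = ['title' => 'string', 'width' => 'int', 'height' => 'int', 'visible' => 'bool'];

function validate_config(array $input): array {
    $clean = [];
    foreach (SCHEMA as $key => $type) {
        if (!array_key_exists($key, $input)) {
            throw new InvalidArgumentException("missing key: $key");
        }
        $v = $input[$key];
        $ok = match ($type) {
            'string' => is_string($v) && strlen($v) <= 200,
            'int'    => is_int($v) && $v >= 0 && $v <= 10000,
            'bool'   => is_bool($v),
        };
        if (!$ok) {
            throw new InvalidArgumentException("bad value for key: $key");
        }
        $clean[$key] = $v;                             // keys not in SCHEMA are silently dropped
    }
    return $clean;
}

header('Content-Type: application/json; charset=utf-8');
try {
    // The client is expected to POST a JSON body: {"action":"write","config":{...}} or {"action":"read"}.
    $body = json_decode(file_get_contents('php://input'), true, 8, JSON_THROW_ON_ERROR);
    $body = is_array($body) ? $body : [];              // a scalar body falls through to "unknown action"
    switch ($body['action'] ?? '') {
        case 'write':
            $config = validate_config(is_array($body['config'] ?? null) ? $body['config'] : []);
            // Only re-encoded, validated data reaches the disk; LOCK_EX serialises concurrent writers.
            file_put_contents(CONFIG_PATH, json_encode($config, JSON_THROW_ON_ERROR), LOCK_EX);
            echo json_encode(['ok' => true]);
            break;
        case 'read':
            if (!is_file(CONFIG_PATH)) { echo '{}'; break; }
            // Re-validate on the way out, so a hand-edited or corrupted file cannot push unexpected data to the page.
            $stored = json_decode(file_get_contents(CONFIG_PATH), true, 8, JSON_THROW_ON_ERROR);
            echo json_encode(validate_config(is_array($stored) ? $stored : []));
            break;
        default:
            http_response_code(400); echo json_encode(['error' => 'unknown action']);
    }
} catch (JsonException | InvalidArgumentException $e) {
    http_response_code(400); echo json_encode(['error' => $e->getMessage()]);
}
```

The jQuery calls would need to send a JSON body (contentType: 'application/json', data: JSON.stringify({...})) instead of form-encoded fields, since jQuery would otherwise flatten the object into config[key]=value pairs.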